More on the cost of breaches

By dissent, March 3, 2007 9:37 am

When I recently expressed my frustration that TJX’s stock hit a one-year high despite revelations of their recent huge security breach, datasecurity over at PCI Compliance Demystified responded by suggesting that the costs to TJX would be very high. His point is valid, as far as it goes, and an article on SearchSecurity.com also argues that the costs to TJX will likely be quite high. Another article in eWeek, however, questions whether PCI really has any teeth. In a sense, the eWeek article mirrored some of my frustration about whether noncompliance really results in enough of a penalty for it to act as a deterrent.

But am I being too harsh? datasecurity suggested that we should weigh the cost of replacing a credit card or the temporary inconvenience of not being able to use your credit card against severe measures such as loss of income to employees if businesses were to fold or be severely punished. His analysis clearly relies on a financial and economic argument. But I am not focused on the finances as much as the societal attitude that seems to accept that my details are not my own and that they can be owned, shared, sold, and even compromised by others. Nor do I accept the notion that unless individuals can demonstrate financial harm or other significant harm as a result of a breach, they should have no cause for action under the kind of “no harm, no foul” rulings in the Acxiom and Wells Fargo lawsuits.

So here’s a hypothetical to mull over, involving three situations:

1. A merchant not in compliance with PCI DSS is hacked, and my name, address, cc number, and details of all my purchases are compromised or made vulnerable.

2. A government medical facility reports that a laptop with patient data has been stolen from an employee’s car, and as a consequence, my name, address, Social Security number, and dates of treatment and diagnostic codes are compromised or made vulnerable. Assume that the employee was authorized to take work home with him/her.

3. A state-owned medical facility that didn’t patch its network security is hacked, and as a consequence, my name, address, cc number, and diagnostic codes and treatment codes are compromised or made vulnerable.

Assuming that all three situations involve records on the same number of individuals and none of them had encrypted the data:

  1. Do you think that they should all suffer the same consequences, financially or otherwise?
  2. Which of the three do you think *will* suffer the biggest consequences, financially or otherwise?

Do we need a system that assigns consequences based on the type of data compromised? Is it right or helpful to have businesses pay for their breaches when states may be immune from suit? And is it right for businesses to pay if medical privacy breaches generally do not result in financial losses or financial penalties?

Apart from what datasecurity might think, I am not out to “get” businesses by being unduly harsh. I am equally disgusted with educational institutions, government agencies, and medical facilities that compromise our details. And in that respect, and as much as I appreciate concerns about governmental regulations that just complicate lives needlessly, maybe we do need a law that says that merchants can’t retain records for more than a certain amount of time, or that any business, agency, or facility that compiles details must take records off its network after a certain amount of time, etc. Such laws wouldn’t address or prevent breaches, but at least they might limit some of the damage.

OK, now you can call me uninformed and explain why others should even be given a chance or another chance to lose or compromise my personal details, particularly when I have no say as to whether some of them compile my details.


2 Responses to “More on the cost of breaches”

  1. Mike says:

    I would not say you are uninformed. The fact that you reach out to others for information and ask questions means you are staying well informed.

    I would really like to see someone answer your questions about how business vs government agencies are treated with respect to data compromises.

    I *do* think there is a difference in the type of data that is compromised. It is far riskier for someone to have your social security number than it is for them to have your credit card number.

  2. dissent says:

    I was just reading “5 Myths of PCI Compliance.” It’s a good post with lots to think about.

    It’s “Myth 2” on the list that I guess I’m skeptical or even jaded about. I’ve spent close to 20 years dealing with governmental agencies who have the authority to impose severe fines or consequences for noncompliance with federal law. In reality, they seldom do. In fact, the U.S. Dept. of Education essentially conceded defeat on enforcement of certain federal laws and suddenly announced that they would no longer serve an enforcement role — that from then on, their role would be to “assist” and “advise” states and educational agencies so that they could come into compliance. Care to guess how well that’s worked out?

    The federal govt. also has a mechanism that would allow it to deal with large-scale data breaches of educational institutions, but has never done a thing to cut off funding to institutions that have had repeated breaches. And of course, there is no individual cause of action under the federal law known as FERPA (the Buckley Amendment) that supposedly protects the privacy of educational records.

    Similarly, HIPAA went into effect a year before PCI DSS compliance, if memory serves, and there have been almost no penalties or fines. They claim that they’re successful in remediating problems, but look at the number of complaints filed every year and tell me if you think HIPAA has served to prevent privacy breaches.

    So… maybe PCI has the potential to levy fines and maybe the multiples add up, but unless they’re actually enforced, I’ll probably remain really skeptical as to whether it prevents many privacy breaches in the business sector. And of course, it constitutes a double or triple standard. On some level, it shouldn’t matter whether it is an educational institution, a corporation, a medical facility, or a government agency that compromises my SSN, cc, or details. Compromised is compromised, isn’t it?
